1. Technical Field
The present invention relates to methods and apparatus for providing a business service to identify the source of a computer virus on a network using a promiscuous system.
2. Description of Related Art
The detection of computer viruses is a well-understood technology. There are several large companies involved in the business of virus detection and elimination including Symantec, McAffee, Shiva, and Intel. Some of these products, specifically Symantec, offer a corporate version of their software for administration and use on internal corporate networks, or intranets. In this configuration, the virus detection client software is installed on each client computer and the virus checker is run at specified intervals to check for viruses on that client machine. If a virus is detected, the client program informs the user that a virus has been detected and takes automatic action or prompts the user for an action depending on the administrative settings.
When a virus is detected, the user is generally instructed to quarantine the infected file or files, removing them from use on the current system. Once the files have been quarantined, the user can begin to use the system once again. The user may then be instructed to contact the system administrator or IT department to alert them of the virus.
The problem with this strategy is that significant damage to the system may already be done before the virus is detected. Some viruses called worms [Syman1] are capable of destroying hundreds or even thousands of files before they are detected. Worse, by the time the client machine has detected the virus, the virus may have cloned itself on another machine on the network or on a network share. From the network share, the virus can begin deleting files and cloning itself onto other client systems. Finding the source of the virus and removing any trace of it on the network usually requires that the network server be shut down, the network shares removed, and each client machine disinfected while disconnected from the network.
To be sure a virus has been totally eliminated, it is desirable to know where the virus originated so that particular machine can be properly disinfected. This can be difficult to determine, however, especially in large corporate networks where the user may not have anti-virus software installed, or a where they have dialed in, unknowingly deposited a virus, and then logged off. If the network is disinfected, it will become infected again when the offending user reconnects. It is important to identify the offending system to prevent re-infection from occurring.
In most cases, the offending user spreads the virus without realizing it. A class of viruses called “worms” work by erasing files or setting their file length to zero, effectively rendering them useless. Worms are usually not recognized by firewall software or filters, and arrive at the users machine looking like a normal executable image or script file. When the user clicks on the file, it immediately clones itself and looks for a new system on the network to be a willing host for the worm. When it finds a willing host, it installs itself and runs again, looking for yet another willing host. These worms need a willing and promiscuous host to provide them with the privileges necessary to do their nasty deed. They seek out systems on the network that have write access to computers or shares, then use that capability to remove files on other systems.
In most networks, it is normal practice for the systems to access a shared storage of some type, perhaps another computer's hard drive, as a shared medium. This is referred to as a share or network share, and it allows users to easily share information, programs, files, and documents located in a single place. Each system that requires access to the share has that access granted to it by the system administrator or by the policies of the network server. Systems without access to the share cannot read from or write to the share. Read and write access can be granted separately for each system that has access to the share.
In the case of viruses that replicate with other systems, it is likely that the virus had already replicated before the detection. In this case, disinfecting the current system will not help, since the virus will quickly replicate itself back on the current system. In order to effectively disinfect the neighboring machines, each machine must be disconnected from the network, disinfected, and then placed back on the network only after each networked client has been checked and disinfected. The source of the worm must be found and eliminated, otherwise the risk of re-infection is extremely high.
This can be a lengthy procedure, and can be difficult for novice users or administrators to implement. Although most corporations with large networks have policies against downloading potentially harmful content, smaller companies with less experienced staff are more likely to download potentially harmful content.
Therefore, a method, system, and computer program product that allows viruses to be detected, located, and eliminated without requiring great skill on the part of an administrator is desirable.